The process of booting a computing device prepares the computing device to perform useful tasks under control of an operating system. The initial application of power to the electronic circuitry of a computing device generally only renders the computing device capable of performing rudimentary tasks, such as fetching instructions embedded into hardware components of the computing device. Thus, the boot process executes those instructions, and initiates processes that enable a computing device to perform more complex tasks. However, because the boot process performs operations prior to the execution of the operating system and any other software whose execution utilizes the operating system, malicious code executed during the boot process can remain undetected but can affect the ongoing execution properties of the system.
To provide protection against malicious code, the notion of a “trusted computer” was developed whereby the state of the computing device could be ascertained. To that end, a “Trusted Platform Module” (TPM) chip was added to the computing device, which could maintain values in a secure manner and, therefore, be used to ascertain if the computer had booted properly. In particular, the TPM chip comprises registers known as “Platform Configuration Registers” (PCRs) that store values that uniquely identify measurements of the system that have been taken since power was applied to the circuitry of the computing device. These measurements are indicative of the software that is executed during the boot process and of the presence and configuration of various hardware components. If the proper measurements were made in the correct order, then the PCRs of the TPM would contain unique values that could be used to verify that the computing device did indeed boot in a recognizable way. If the measurements are recognized to represent a computer that has booted in a trusted way, then the machine is in a trusted state when it begins executing the operating system software. In such a manner, malicious code in the boot sequence can be detected.
The measurements that are made during the boot process are combined to define the trust state of the machine. The measurements are, therefore, considered to represent the so-called “Trusted Computing Base” (TCB). Unfortunately, not all measurements taken during the booting of a computing device comprise an equivalent security risk. Thus, using the TPM to verify all of the instructions executed during the booting of a computing device can complicate the evaluation of the TCB beyond what it reasonably needs to be. As a result, deviations that would otherwise be insignificant can result in an inability to determine if the computer is in a trusted state. Consequently, some CPU manufacturers have added specific CPU instructions to their instruction sets that can be used to implement a more dynamic concept of a TCB. The relevant CPU instruction causes the CPU to perform a number of tasks. For example, the CPU can be instructed to protect an identified sequence of instructions, usually by placing the instructions into the CPU's cache memory and then locking it to prevent modifications by outside agents such as a Direct Memory Access (DMA) operation. In addition, the relevant CPU instruction can reset the “Dynamic Root of Trust for Measurement” (DRTM) PCRs, in particular PCRs 17 through 20, in the TPM to a value of zero, and can then transmit the contents of the protected sequence of instructions to the TPM, which can create a secure hash of this code and store it into PCR 17. Lastly, the relevant CPU instruction can cause the CPU to begin execution of the measured, protected code. Consequently, at the end of this sequence of operations, PCR 17 will contain a value that uniquely identifies the protected code executed by the CPU from its cache memory. Additional code that can be executed after the relevant CPU instruction can also be measured and that measurement can then be combined into one or more of the PCRs 17 through 20.
The TCB, as represented by the measurements combined into PCRs 17 through 20, can thus comprise only the code executed since the invocation of the relevant CPU instruction rather than all of the code which executed since the time that the machine was booted. This reduces the size of the TCB and simplifies the trust evaluation of the system.
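The following added example (not part of the original text) models the dynamic TCB described in the two preceding paragraphs: the launch instruction resets PCRs 17 through 20, hashes the protected code into PCR 17, later measurements are folded into the dynamic PCRs, and a verifier compares only PCRs 17 through 20 against reference values, so whatever was measured into PCRs 0 through 16 before the launch does not affect the decision. It assumes the standard TPM extend rule (new PCR = H(old PCR || measurement)) and a 20-byte SHA-1 PCR; the code images and firmware strings are constructed samples.

```python
import hashlib
from typing import Dict, Iterable, Tuple

DIGEST_LEN = 20              # assumption: 20-byte SHA-1 PCRs (TPM 1.2 style)
DRTM_PCRS = range(17, 21)    # PCRs 17 through 20, reset by the launch instruction
ZERO = bytes(DIGEST_LEN)

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: the new PCR value is H(old PCR value || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()

def measure(code: bytes) -> bytes:
    """Hash of a code image, as the TPM computes it for the protected code."""
    return hashlib.sha1(code).digest()

def fresh_pcrs() -> Dict[int, bytes]:
    return {i: ZERO for i in range(24)}

def drtm_launch(pcrs: Dict[int, bytes], protected_code: bytes,
                later: Iterable[Tuple[int, bytes]] = ()) -> Dict[int, bytes]:
    """Model of the CPU instruction: zero PCRs 17-20, hash the protected code
    into PCR 17, then fold later measurements into the dynamic PCR they name."""
    new = dict(pcrs)                      # PCRs 0-16 are left untouched
    for i in DRTM_PCRS:
        new[i] = ZERO
    new[17] = extend(new[17], measure(protected_code))
    for idx, m in later:
        if idx not in DRTM_PCRS:
            raise ValueError(f"PCR {idx} is outside the dynamic TCB")
        new[idx] = extend(new[idx], m)
    return new

def golden_values(protected_code: bytes,
                  later: Iterable[Tuple[int, bytes]] = ()) -> Dict[int, bytes]:
    """Reference values a verifier computes offline from the known-good images."""
    launched = drtm_launch(fresh_pcrs(), protected_code, later)
    return {i: launched[i] for i in DRTM_PCRS}

def is_trusted(pcrs: Dict[int, bytes], golden: Dict[int, bytes]) -> bool:
    return all(pcrs[i] == golden[i] for i in DRTM_PCRS)

if __name__ == "__main__":
    good = b"measured launch environment v1 (constructed sample)"
    bad = good.replace(b"v1", b"v1 + implant")          # one altered image
    later = [(18, measure(b"kernel image (constructed sample)"))]
    booted = fresh_pcrs()
    booted[0] = extend(ZERO, measure(b"firmware (constructed sample)"))  # pre-launch noise
    golden = golden_values(good, later)
    print(is_trusted(drtm_launch(booted, good, later), golden))   # True
    print(is_trusted(drtm_launch(booted, bad, later), golden))    # False
```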